
CoinHive is an online service which provides cryptocurrency miners (crypto mining malware) that can be installed on websites using JavaScript. The JavaScript miner runs in the browser of the website's visitors and mines coins on the Monero blockchain. It is promoted as an alternative to placing advertising on the website. As it turns out, it is also being used by hackers, who infect a website in the first place and then mine using that website's end customers.

To mine the Monero coin using CoinHive, all you have to do is place a small JavaScript snippet in the header/footer of your website. When a visitor comes to the site, the CoinHive JavaScript gets activated and starts utilizing the CPU power available to it. With 10–20 active miners on the site, the average monthly revenue is about 0.3 XMR (~$109). To multiply their revenue, hackers have been exploiting vulnerable websites by injecting crypto mining malware (CoinHive).

While CoinHive itself is not a malicious service, it has been extensively used by hackers to mine coins using . As a result, many malware scanners and security agencies have blacklisted the domain.

Flagged Domains Hosting the Crypto Mining Code

We have compiled a list of 3rd party domains that have been seen hosting the CoinHive code used by the malware. The JavaScript files are intentionally named after common file names so that they appear to be legitimate and the webmaster doesn't get suspicious on seeing them.


Finding the crypto mining malware (CoinHive)

If you detect that your website has been running crypto-mining scripts without your knowledge, it is highly likely that your website is hacked or has been infected. Here are some steps you can take to identify if your website is hacked:

Fixing Crypto Mining Coinhive Malware WordPress

We’ve seen that core WordPress files have been modified to place the malware code. In many cases, the theme files have also been hijacked to place the JavaScript crypto mining code. The malware checks the user-agent of the request and only includes the malicious JS code if the visitor is not a search engine bot from Google/Bing/Yahoo etc.


Malicious code infecting the headers.php file in WordPress themes

Some of the files you should check and compare for modifications:

  • index.php
  • wp-admin/admin-header.php
  • wp-includes/general-template.php
  • wp-includes/default-filters.php
  • wp-includes/manifest.php
  • Look for unrecognized code in header.php in your theme folder
  • functions.php
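
One way to run the comparison described above, as an added example that is not code from the original article. It assumes a pristine copy of the same WordPress release is unpacked next to the live site; the function names, the theme path and the hosts example.test / example.org are constructed for the demo. It works on the files on disk, so the user-agent check the malware performs when serving pages does not affect the result.

```python
import hashlib, re, tempfile
from pathlib import Path

# Core files the article says to check; paths are relative to the WordPress root.
CHECK = ["index.php", "wp-admin/admin-header.php", "wp-includes/general-template.php",
         "wp-includes/default-filters.php", "wp-includes/manifest.php"]
SCRIPT_SRC = re.compile(r"""<script[^>]+src\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.I)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare(site, clean, rel_paths=CHECK):
    """Classify each listed file against the pristine copy (assumed same release)."""
    report = {}
    for rel in rel_paths:
        s, c = Path(site, rel), Path(clean, rel)
        if not s.exists():
            report[rel] = "missing" if c.exists() else "absent"
        elif not c.exists():
            report[rel] = "not-in-clean-copy"   # exists only on the live site
        else:
            report[rel] = "ok" if sha256(s) == sha256(c) else "modified"
    return report

def external_script_hosts(php_file, own_host):
    """Hosts referenced by <script src> tags in a theme file, excluding the site itself."""
    text = Path(php_file).read_text(errors="replace")
    return sorted({h.lower() for h in SCRIPT_SRC.findall(text)} - {own_host.lower()})

def demo():
    """Build a constructed clean tree and a constructed tampered tree, then scan both."""
    tmp = Path(tempfile.mkdtemp())
    clean, site = tmp / "clean", tmp / "site"
    for root in (clean, site):
        for rel in CHECK[:4]:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<?php // constructed stand-in for " + rel + "\n")
    # Constructed tampering: one changed core file, one file the clean copy lacks.
    (site / "index.php").write_text("<?php /* constructed injected line */\n")
    (site / CHECK[4]).write_text("<?php // constructed unexpected file\n")
    header = site / "wp-content/themes/example-theme/header.php"  # hypothetical theme
    header.parent.mkdir(parents=True)
    header.write_text('<script src="//cdn.example.test/js/status.js"></script>\n'
                      '<script src="https://www.example.org/js/jquery.js"></script>\n')
    return compare(site, clean), external_script_hosts(header, "www.example.org")

if __name__ == "__main__":
    print(demo())
```

Any file reported as modified or not-in-clean-copy, and any script host you do not recognize, is a starting point for manual review rather than proof of infection.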

Fixing Crypto Mining Coinhive Malware for Magento

If you are using Magento, look for crypto mining malware in the database. Open the 'core_config_data' table using a tool like phpMyAdmin and look for the value of design/head/includes. Examine the code and remove any JavaScript files being included there using the